As you might have noticed, your inbox has been filling up as of late
with a number of updated service policies as well as new terms and
conditions. Most engineers you meet today are also in one way or
another dealing with the implications of the GDPR at the moment.

Exoscale has been the favored provider of many companies building
applications for the web, a field where the GDPR has the largest
implications. There still seems to be a lack of clarity and
understanding about what the GDPR means for people who host.

Below are some essential points to consider if you are building
applications, whether you are inside the EU or outside it, as long as
you allow sign-ups from everywhere. By allowing anyone to use your
application or service, you become subject to the GDPR for your
European customers. This obviously does not constitute legal advice,
for which I would advise you to retain counsel.

1. All data collection needs to happen on a lawful basis

There are only six lawful justifications for data collection, as
mandated by the GDPR:

The concerned party agrees to it. Concretely, everyone needs to
opt in to collection.

The collected data is necessary to establish a contract. For
example, you need an email to create an account.

The collection is mandated by law. If you invoice customers, you
will need to keep those invoices around.

Processing of the collected data presents a vital interest. This
may be true of medical data for instance.

Processing of the collected data is in the public interest. This
probably won’t ever be a reason for you as a private company and is
more likely to be the case for public institutions.

The collection is in the legitimate interest of the collecting
party. This is the fuzziest notion and needs to be weighed against
the personal interest of data subjects. The canonical use case for
this notion is that you are within your lawful rights to process a
customer’s address when shipping goods.

Anything falling outside this spectrum is considered unlawful and will
be subject to fines if you insist on carrying it out. In light of
the recent revelations around the practices of Facebook and other
entities, this should be considered great news. It might come at the
expense of adapting your application and the way you handle your newsletter
population, but it will greatly improve your rights as a consumer.

2. Dates of agreement to all contracts must be stored

The gist of it is that you need to know when an account was created,
as well as when terms and conditions were accepted. This is most
likely all part of an account’s creation process, but there now need
to be simple ways to look up acceptance dates.

3. You need a data processing agreement with your provider

The data processing agreement, or DPA, is a document describing your
relationship with your hosting provider, stipulating that the data
being processed by the provider is confined to the strict minimum
necessary to provide the service.

In the case of Exoscale, this means holding on to your account and
billing details, as well as the list of resources you consume on
Exoscale for a short time, in order to produce usage metering
statements.

4. A full right to access and deletion

Provisions must exist not only to remove data upon request, but also
to provide full extracts. The current mandate is to fulfill a
request within 30 days of receiving it.
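To make points 1, 2 and 4 concrete, here is an added example (not code from the post or from Exoscale) of a minimal per-account ledger: every piece of personal data is stored with its lawful basis and the date it was collected or the terms were accepted, and the account can produce a full extract or erase itself on request while keeping only what a legal obligation requires. The account, record layout, sample customer and 30-day helper are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

LawfulBasis = Enum("LawfulBasis", "CONSENT CONTRACT LEGAL_OBLIGATION "
                   "VITAL_INTEREST PUBLIC_INTEREST LEGITIMATE_INTEREST")  # the six bases from point 1

@dataclass
class Record:
    purpose: str             # what the data is used for, e.g. "newsletter"
    basis: LawfulBasis       # why collecting it is lawful
    value: str               # the personal data itself
    recorded_at: datetime    # when collected, or when the terms were accepted (point 2)
    terms_version: str = ""  # version of the terms accepted, where that applies

@dataclass
class Account:
    email: str
    created_at: datetime
    records: list = field(default_factory=list)

    def acceptance_dates(self):
        """Point 2: when each version of the terms was accepted."""
        return {r.terms_version: r.recorded_at for r in self.records if r.terms_version}

    def export(self):
        """Point 4: full extract handed to the data subject on request."""
        return {"email": self.email, "created_at": self.created_at.isoformat(),
                "records": [{**vars(r), "basis": r.basis.name,
                             "recorded_at": r.recorded_at.isoformat()} for r in self.records]}

    def erase(self):
        """Point 4: delete on request, keeping only data the law obliges us to retain (point 1)."""
        kept = [r for r in self.records if r.basis is LawfulBasis.LEGAL_OBLIGATION]
        removed = [r.purpose for r in self.records if r.basis is not LawfulBasis.LEGAL_OBLIGATION]
        self.records = kept
        return removed

def deadline(received_at):
    """Point 4: a request must be fulfilled within 30 days of receipt."""
    return received_at + timedelta(days=30)

def sample_account():  # constructed sample data, not a real customer
    t0 = datetime(2018, 5, 25, 9, 0)
    acct = Account("alice@example.org", created_at=t0)
    acct.records += [Record("account", LawfulBasis.CONTRACT, acct.email, t0, "tos-2018-05"),
                     Record("newsletter", LawfulBasis.CONSENT, acct.email, t0 + timedelta(days=1)),
                     Record("invoicing", LawfulBasis.LEGAL_OBLIGATION, "1 Rue Example", t0)]
    return acct
```

Note that erasure leaves the invoicing record in place: that data is held under a legal obligation, which is exactly the case the post describes for invoices.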

5. Data protection by design is now mandated

Product decisions which touch this area must exhibit proof that they
were designed with data protection in mind. This is one of the least
concrete and immediately applicable mandates of the GDPR. From a
public-facing application’s point of view, clear internal
documentation of how data is treated is the first step we would
recommend.

6. Breach reporting and investigation procedures must exist

Companies that act as data processors now need processes around
reporting and investigating breaches of data processing and data
collection rules.

As a corollary, a data processing officer needs to be named to
own the surrounding process.
